Change is Automatic, Progress is Not

March 15, 2017 | Javvad Malik

I landed my first ‘proper’ summer job in 1998 working as a call operator for a pager company.

Back then mobile phones weren’t the commodity they are today, and text messaging was not a readily available feature. Pagers served as a cheap and accessible alternative, a small device with a screen that would display a short message.

My job was to receive incoming calls, type out the message, and send it to the relevant pager. On the whole it was a boring and repetitive job, with few breaks, and strict managers. On the plus side, the workforce consisted mainly of students like myself that were grateful for an easy job that paid £4 an hour.

Mixing youthful exuberance with decent pay created a certain buzz around the office. Particularly on warm summer days when the sun would pour in through the windows, and just over 350 operators would be busy on calls, spinning on chairs, throwing Maltesers at each other - trying desperately not to laugh while typing out a message informing Dr. Jones she was needed in ward number 3. It created a vibrant atmosphere that resembled a mixture of a daytime club with a scene out of Wall Street.

But nothing lasts forever, and a few short years later the office was abandoned and the company had folded.

Mobile phones were the reason. Lower prices had made them accessible to the masses - and once text messaging services took off, the humble pager became obsolete.

Usually a new technology will cannibalise one industry, like how CDs impacted vinyl records. Mobile phones, on the other hand, were not satisfied with just impacting the pager industry. As the functionality and capabilities of handsets grew, so did their targets. Mobiles became the de-facto camera, music player, email client, and internet browser. With the explosion of ‘apps’ the capabilities have only increased.

The term ‘disruptive’ is thrown around a lot regarding technology. Perhaps mobile devices deserve the term more than any other - forcing many industries to change, or wiping them out altogether.

Standard point-and-shoot camera capabilities have been outpaced by mobiles, forcing camera manufacturers to focus more on the ‘prosumer’ market, catering to consumers that don’t necessarily need professional equipment, but need something that packs more of a punch than the standard phone camera.

Similarly, toy manufacturers are seeing children move away from physical toys to software-based entertainment. Everything from publishing, taxis, shopping, or even banking and payments has been disrupted as consumers want maximum functionality crammed into their handheld device.

The “other” disruptor - Tales from Three Former Colleagues

*

Based on his work experience, I guess “Tim” to be in his mid-forties. His heavy set and weary face tell the story of someone that has lost far too many hours on support calls over the years. He started work in IT and then moved into IT Security, working his way up the ranks to middle-management in charge of a team of 11 at a Fortune 500 company.

We are in a coffee shop tucked away in one of the many small lanes behind Aldgate East. The melting pot of where London’s financial hub bleeds into the East-End, Jack the Ripper territory of Brick Lane.

Tim lets out a deep sigh when I ask about disruptive technologies and mobile phones. He runs his index finger along the brim of his coffee cup, before flashing the briefest of smiles. “Mobiles, tablets and this whole bring your own whatever nonsense has changed stuff for sure. But cloud is where the real change has happened.”

“But change is good right? It’s progress?” I ask.

Tim pauses, his finger stops running along the rim of the cup. “No, that’s where you’re dead wrong. Change doesn’t always mean progress. Change can just happen, progress… progress you have to work on.

We had business units going out, corporate credit card in hand buying any cloud service they wanted. Bypassing IT Services whenever they felt they could get a better deal - which, to be honest they could. Most of our engineers were scared… maybe scared is a strong word. Umm no, scared is probably right. They were scared that they could become redundant, the cloud would take over their jobs.”

* *

The Skype icon on my tray bounces up and down as a message pops up, ‘OK I’m ready to chat now’ says “Jack”. I hit the call button - it rings a couple of times before I hear a familiar chirpy voice, “Jav man! How are you doing? Sorry was a bit late, someone is leaving and we ended up having a long lunch.”

Jack has always been a ‘glass half full’ kind of guy. He came from a non-traditional background, starting as an apprentice straight out of school and working his way through doing every and any job he could. He’s never let his lack of formal education stop him; in fact, he wore it as a medal of honour and didn’t make many attempts to recover the t’s he constantly drops from his words. Even though IT Security was his primary skill, if you needed any job doing, you could almost guarantee Jack had some experience in it.

I enquire about his cloud experiences.

“You’ve got to be more specific than just saying cloud dude!” he says with his usual style, like how your grandfather would possibly explain something to you if he were 25. “We were virtualising servers before everyone jumped on the private cloud bandwagon. They are great, but you still have to run your own datacentre. The public cloud is where the fun is at. You get to have all the fun, while some other poor sap has to worry about maintaining a datacentre and keeping the lights on. We’ve had to be careful about how we roll out cloud though. It’s like a garden, if you don’t tend to it, it can be quickly overrun with weeds.

But overall, I’d say it’s cut out nearly all the red tape. You need an environment stood up, it’s no problem at all. There’s only one short form to fill in and you’re off, usually on the same day. It’s a far cry from the 10 working days we used to promise, but never achieve. You’d be lucky to get anything in place in a month. It was terrible! I’d say cloud saved me many premature grey hairs!”

*

"Karen" ushers me into a small meeting room which has a spectacular view over the city of London. I resist the temptation to pull out my phone for a quick panoramic photo. I am conscious of the fact that Karen is an extremely efficient, and often busy person. I want to remain respectful of her time, and briefly acknowledge the view before sitting down.

I once worked with Karen when I was an independent contractor and was always impressed by her focus and clarity of vision. To plan and execute quickly, Karen was the go-to person.

“Cloud adoption has been very rapid. But not everyone is up to speed on what the change actually means. You need to look beyond the superficial stuff that everyone goes on about and see how cloud works with your business.

Outsourcing the management of your infrastructure is fine from a technical point of view, but there is also a mind-set change that needs to go along with it.

The biggest problem when people outsource is that they still want control. They have this inner desire to need to know how everything is happening because that’s how they’ve always been trained to look at and assess risks. But that’s not always possible in the cloud, there are areas that only the provider is responsible for, so forget that and pay attention to what you are responsible for.

I think internal audit is one of the biggest culprits in this. They have out-dated checklists they desperately try to cling to. You can’t start slapping legacy controls into a cloud environment. It’s not possible to click your heels together three times and ask for a cloud-compatible version of all your controls.

The FCA (Financial Conduct Authority) published specific guidance for this very reason. But changing the mind-set takes time, and I’m not sure it can always keep pace with technology changes.”

*

"Did the cloud take away engineers' jobs?" I ask Tim. He sits up straight, takes his finger off the rim of his coffee cup for the first time during our discussion, and starts to fidget with his wedding ring while letting out a chuckle. "Not at all. It was the least of our worries. Although a couple of engineers moved to service providers - they felt like the job opportunities would be better there. I guess we still pay their wages, just not directly anymore.

If anything, the cloud gave us more work. Since we adopted cloud, I've been given approval to recruit two more FTEs because the security workload and concerns have increased significantly. We've got our traditional environments to monitor, but now we also have our cloud environments. These are new for us. We could do a better job at cloud-specific threats, but for now we're ok. It's a bit of a pain in that regard as you could say it's almost doubled our workload. My team is split between those who manage all our existing systems and those that are responsible for managing cloud-only security. It works, but it's like a giant scar. I guess we'll make it work... somehow."

* *

"What would you say your biggest security challenge has been?" I ask Jack. Skype lags slightly and I worry we may get disconnected. Thankfully we aren’t.

"How many eggs and how many baskets can you carry. That's what I'm always asking myself. Conventional wisdom says not to put all your eggs in one basket. But it's a whole lot easier protecting one basket than a dozen eggs scattered all over the place.

Man, you would not believe how tough it can be to keep on top of all your environments. Juggling cloud, on-premises, SaaS, PaaS, IaaS - everything takes a lot of effort and you know, I'm all about getting the most returns from the least amount of effort.

If I were an attacker, I'd just use this complexity to my advantage. I can guarantee you none of these large companies have the full picture of what they're running and where. If I started attacking a company's different cloud providers as well as on premises infrastructure the IR teams would not put the attacks together. They'll be treated as separate attacks and stretch already thin teams even further. It's like a game, man, and you're the game-master."

Entering a new reality

The oft-quoted saying is that you wait a long time for a bus, and then two turn up at once. True technology disruption doesn’t happen very often, but we’ve witnessed it arrive twice with mobile and cloud. Both have impacted multiple industries and forced businesses as well as consumers to change their practices.

Cloud, in particular, has shifted how many businesses operate, changing what skills are needed and how resources are managed, and raising the bar of customer expectation.

As Tim reminded me, change is inevitable, but progress is highly dependent on how the company chooses to react to it.

Cloud comes with risk, both in the conventional sense of being negative, but also as a positive risk, or opportunity. Businesses need to be educated on both sides so that the appropriate mind-set can be adopted. Otherwise there’s the danger that security risks won’t be evaluated properly and the controls deployed could be ineffective.

Other than the mind-set and risk management position that Karen referred to, the biggest technical challenge from a security perspective would be maintaining a holistic view of threats across the entire infrastructure. Linking together attacks and suspicious activity that may cross over on-premises datacentres as well as the cloud becomes critical.

With more and more critical business data residing across different environments, not having an integrated security and risk strategy could result in businesses adopting the cloud, only to find themselves going the way of the pager company.

* The names of interviewees have been changed to retain anonymity.

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.